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Updates / Features 

• Added iOS 8.0 - 8.2 support for persistent installations. The installer now supports the 
following devices for iOS versions 7.x - 8.2: 

• iPad2,1 -> iPad 2 WiFi Only 

• iPad2,2 -> iPad 2 GSM 

• iPad2,3 -> iPad 2 CDMA 

• iPad2,4 -> iPad 2 Revision A 

• iPad2,5 -> iPad Mini WiFi Only 

• iPad2,6 -> iPad Mini GSM 

• iPad2,7 -> iPad Mini GSM+CDMA 

• iPad3,1 -> iPad 3 WiFi Only 

• iPad3,2 -> iPad 3 CDMA 

• iPad3,3 -> iPad 3 GSM 

• iPad3,4 -> iPad 4 WiFi Only 

• iPad3,5 -> iPad 4 GSM 

• iPad3,6 -> iPad 4 GSM+CDMA 

• iPad4,1 -> iPad Air WiFi 

• iPad4,2 -> iPad Air WiFi+Cellular 

• iPad4,4 -> iPad Mini 2G WiFi 

• iPad4,5 -> iPad Mini 2G WiFi+Cellular 

• iPad4,7 -> iPad Mini 3 WiFi Only 

• iPad4,8 -> iPad Mini 3 WiFi+Cellular 

• iPad5,3 -> iPad Air 2 WiFi Only 

• iPad5,4 -> iPad Air 2 WiFi+Cellular 

• iPhone3,1 -> iPhone 4 GSM 

• iPhone3,2 -> iPhone 4 GSM Revision A 

• iPhone3,3 -> iPhone 4 CDMA 

• iPhone4,1 -> iPhone 4S 

• iPhone5,1 -> iPhone 5 GSM 

• iPhone5,2 -> iPhone 5 GSM+CDMA 

• iPhone5,3 -> iPhone 5C GSM 

• iPhone5,4 -> iPhone 5C Global 

• iPhone6,1 -> iPhone 5S GSM 

• iPhone6,2 -> iPhone 5S Global 

• iPhone7,1 -> iPhone 6 Plus Global 

• iPhone7,2 -> iPhone 6 Global 

• iPod5,1 -> iPod Touch 5th Gen 

• Added -nonpersistent, -start options to installer 
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Prerequisites 

• OS X Yosemite 1 0.1 0 or later (untested on OS X 1 0.9 Mavericks, but should work) 

• iTunes 12.0 or later 
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Overview 

The nsinstaller script installs a persistent implant on a device. It is a simple, 1 step process that 
should take no longer than a minute to complete. The most basic way to install is to do: 

$ ./nsinstaller nspkg.pyz files.zip 

When running nsinstaller, the PyCrypto distribution must be included in the same directory as 
nsinstaller or installed permanently on your machine. 
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Implant Requirements 

The files.zip zip file passed to the installer must be of the following format: 

files.zip 

files/ 

libdyld.dylib 
other files ... 

Where libdyld.dylib is the main implant library that will load on every boot, libdyld.dylib must be 
compiled for the right architecture that matches the target device. Multiple libdyld.dylib files may be 
included to support multiple architectures, like so: 

files.zip 

files/ 

1 i bdyl d . dyl i b_a r m64 
libdyld.dylib_armv7s 
libdyld.dyli b_a r mv7 
other files ... 

The implant library must also satisfy the remaining requirements for successful installation: 

1 . Be compiled as a dynamic library (-dynamiclib flag for clang) 

2. Be statically linked against the SAL object file, sal.obj (included in this release) 
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General Usage 

The installer contains several options and are described by using the -help option, like so: 

$ ./nsinstaller -help 

usage: nsinstaller [-h] [ — version] [--deactivate] [-u INSTALLER] [-q] [-p] 
[-a] [-r] [-k] [-g] [--dmg-path DMG_PATH] 

[--host-path H0ST_PATH] [--start] [--nonpersistent] [-v] 
nspkg_path clientzip_path 

Installs a package onto a device 


positional arguments: 

nspkg_path path to the nspkg.pyz 

clientzip_path path to the client zip file containing the install 

files 


optional arguments: 

-h, --help show this help message and exit 

— version show program's version number and exit 

--deactivate Deactivate after installation. This is disabled by 

default. 

-u INSTALLER, -use-installer INSTALLER 

Force a particular installer. Will not always work. 
Let it auto-detect. 

-q, --quiet Causes installer to keep quiet. Otherwise, it will 

beep for user interaction. 

-p, --noprompt Installs without any user interaction. 

-a, -announce-success 

Make a sound when the installer completes a 

successful 


installation 

-r, --no-reboot Disable reboot after install. Default is always 

reboot. 

-k, — kick-recovery Boot a device into normal mode that is stuck in 
recovery mode. 

-g, -generate-zip Generate a zip file with the installer and its 

encrypted tasking for use with 3rd party clients, 
--dmg-path DMG_PATH path to a directory of dmgs used for the install 
-host-path H0ST_PATH 

path of the host app to execute on 
— start Start payload immediately 

--nonpersistent Perform a nonpersistent installation 

-v, — verbose Verbose log messages 
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Installing Without Deactivation 

To install on a device without deactivation, plug in the device via USB. If the device has never 
been paired with the device, make sure you hit the ‘trust’ option on the main screen: 
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Once a device is trusted and paired, run the nsinstaller script: 

$ ./nsinstaller nspkg.pyz files.zip 
Searching for devices... 

.Found Device(s) 

Performing Survey 

============= Survey ============== 

Device Information: ee254859b8a965b0ca3588743343f7a68e45a6fd 

BluetoothAddress : 84 : 8e : 0c : a9 : b9 : 21 

BuildVersion: 12D508 

CPUArchitecture: arm64 

DeviceClass: iPad 

DeviceColor: #3b3b3c 

DeviceName: shark’s iPad 

DielD: 6282634782416 

FirmwareVersion: iBoot-2261.5.64 

HardwareModel : J85AP 

HardwarePlatform: s518960x 

MLBSerialNumber : DLX34921JWQFH1JAE 

ModelNumber: ME276 

PasswordProtected: False 

ProductType: iPad4,4 

ProductVersion: 8.2 

SIMStatus : kCTSIMSupportSIMStatusReady 
SerialNumber: DLXLXFWVFCM5 
TelephonyCapability: False 
UniqueChipID: 6282634782416 

UniqueDevicelD: e e254859b8a965b0ca3588743343f7a68e45a6fd 
WiFiAddress: 84:8e:0c:a9:b9:20 

############################################################ 

############################################################ 

Please make sure device is activated and is not PIN locked. 
############################################################ 
############################################################ 

Press Enter to continue or Ctrl-C to quit 
Killing Processes :Xcode iTunes iTunesHelper 
No matching processes belonging to you were found 
starting install process 

files/libdyld.dylib_armv7 has architecture armv7 but target arch is arm64, skipping 
this file 

files/libdyld.dylib_armv7s has architecture armv7s but target arch is arm64, skipping 
this file 

Executing installer, this may take a minute on initial run... 


Did NOT receive a return value 

Successfully ran installer, device should be rebooting now 
$ 

The device should reboot and start the implant on the startup. 
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Installing With Deactivation 

To install with deactivation, use the —deactivate option: 

$ ./nsinstaller -deactivate nspkg.pyz files.zip 
On reboot, the device will be deactivated. 
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Advance Options 

This section describes in detail what the other options in the nsinstaller script do and their typical 
usage. 

Quiet 

The —quiet option will cause the install to not play a sound after a successful installation. Since a 
reboot occurs immediately, the sound will likely not be heard either way, unless the -no-reboot 
option is used. 

No Prompt 

The —noprompt option does not prompt the user to press the Enter key before installing. Useful 
when no user interaction is needed (scripting, automated tests, etc.) 

Announce Success 

Unused. 

No Reboot 

The -no-reboot option will cause the install to not reboot - useful when paired with the -start flag 
to test the implant without waiting for a reboot. 

Kick Recovery 

Should not be needed since the installer does not place device into recovery mode. 

Generate Zip 

Generates an installer that can be run by a third-party implant. 

DMG Path 

The — dmg-path option is required for iOS 7.x installations, which must be set to a directory 
containing the Developer Disk Images from Xcode. for iOS 8.x installations, this option is not 
required. 

Host Path 

Developer option used for internal testing - do not use. 

Start 
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The -start option will start the implant immediately after installation - by itself, this will do nothing 
since the install reboots the device, but paired with the -no-reboot option will start the implant 
without rebooting. 

Non Persistent 

The — nonpersistent option will not persist the implant, so its only useful when paired with —no- 
reboot and -start options. 
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Troubleshooting 

Installer Errors 

iOS 8.x installations sometimes fail, and although the installer will retry again, a simple way to fix the 
issue is to CTRL+C the installer, reboot the device manually, and try again. 

Device IS PIN-Locked/Not Trusted 

If the nsinstaller script gives you the following error: 

Device is PIN-locked/Not trusted and does not having pair record with this 
computer, checking for PIN-bypass 

No PIN-bypass installer available for device - remove pin-lock to install, 
exiting 

No installer for device 

This means the pairing was not successful or still processing. Retry by disconnecting the device, 
reconnect, wait a few seconds, and if the “Do you trust this device” pop up is not displayed, the 
device should be paired and the install should succeed. 
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Known Issues 

• iOS 8.x installations may get into a never-ending fail loop. Mitigation - Stopping the script and 
rebooting the device. 
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